Representing Security Specifications in UML State Machine Diagrams

Security specifications are controls and constraints on the behavior of the software and can be used to develop more secure software from the beginning. Many specification languages have been proposed to represent security specifications. However, all these specification languages are at a higher level of abstraction and can only be used to represent overall business-level design decisions. Such specifications provide guidance to the developers but do not lay out the details of the dynamic behavior that has to be implemented during the coding phase. In this paper, we propose to use UML state machine diagrams to represent detailed dynamic behavior of design-level security specifications. We argue that these behaviors when used by the developer for implementation will enable them to avoid crucial security vulnerabilities.